[Nmh-workers] XOAUTH2 integration, and a few questions

From: Ken Hornstein
Subject: [Nmh-workers] XOAUTH2 integration, and a few questions
Date: Tue, 28 Jun 2016 16:39:29 -0400

Howdy all,

I've been meaning to look at the xoauth2 branch for a long time now, so
I finally sat down to look at it.  I had a few questions; I guess Eric
is probably the best person to answer them, but if anyone else knows
the answers then feel free to speak up.

- From looking at the protocol document and the source code, it seems
  that (using RFC 6749 terminology) mhlogin gets an OAuth Authorization
  Grant (involving the user's browser), and then uses it to get an
  access token and a refresh token, and stores those in a credential
  file (by default: oauth-gmail).  Is that correct?  Under what
  circumstances will the refresh token be invalidated?

- If the access token is old, the refresh token is used to get a new
  one.  When you have an up-to-date access token, it's used to construct
  the SASL exchange for the XOAUTH2 mechanism.  Is that correct?

In terms of the implementation ... I see only one wart that I dislike.
It looks like the access token is constructed by send(1) and passed down
in base64-encoded form to post(8) via the -authservice switch.  I really
think it would be preferable to just pass down the 'real' authservice
flag and have post(8) (well, probably the SMTP code) construct the
access token.  If there's a reason it's done the way it is now, I
would like to understand it.

I think it's almost ready to go; do others agree?
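
The refresh check and the XOAUTH2 SASL step asked about in the two bullets above, as an added example that is not part of the original post and is not nmh's code. The `struct cred` layout, the 60-second expiry margin and all function names are assumptions made for illustration; the response format is the published XOAUTH2 one, base64 of `user=<user>^Aauth=Bearer <token>^A^A`.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical credential record; the post does not show nmh's file layout. */
struct cred { const char *access; const char *refresh; time_t expires; };

/* Refresh when there is no access token or it expires within 60 s
 * (the 60 s margin is an assumption made for this example). */
int needs_refresh(const struct cred *c, time_t now) {
    return c->access == NULL || now + 60 >= c->expires;
}

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Padded base64; returns the encoded length, or -1 if out is too small. */
int b64(const unsigned char *in, size_t n, char *out, size_t outsz) {
    size_t i, o = 0;
    if (outsz < 4 * ((n + 2) / 3) + 1) return -1;
    for (i = 0; i < n; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < n) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64[v >> 18];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = i + 1 < n ? B64[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < n ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return (int)o;
}

/* XOAUTH2 initial response: base64("user=" user ^A "auth=Bearer " token ^A ^A).
 * ^A inside either field is rejected so a value cannot add key/value pairs. */
int xoauth2_response(const char *user, const char *token, char *out, size_t outsz) {
    char raw[1024]; int n;
    if (!*user || !*token || strchr(user, '\001') || strchr(token, '\001')) return -1;
    n = snprintf(raw, sizeof raw, "user=%s\001auth=Bearer %s\001\001", user, token);
    if (n < 0 || (size_t)n >= sizeof raw) return -1;
    return b64((const unsigned char *)raw, (size_t)n, out, outsz);
}

int main(void) {
    struct cred c = { "constructed-token", "constructed-refresh", 0 }; /* constructed sample */
    char out[2048];
    if (needs_refresh(&c, time(NULL))) puts("access token stale: refresh first");
    if (xoauth2_response("user@example.com", c.access, out, sizeof out) > 0) puts(out);
    return 0;
}
```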

